
SBA 320: How to Secure Your BAS Part 2

By Phil Zito on Mar 2, 2022 10:42:16 AM

Topics: Podcasts

In this episode, we continue our discussion on securing your BAS against cyber threats. We will discuss how to explore the cybersecurity capabilities of a BAS, discuss the limitations of cyber security controls, and will look at the human aspects of cyber security.

Click here to download or listen to this episode now.

Resources mentioned in this episode

Training Video


Transcript

Phil Zito 0:00
This is the Smart Buildings Academy podcast with Phil Zito, episode 320. Hey folks, Phil Zito here and welcome to episode 320 of the Smart Buildings Academy podcast. In this episode we're going to continue discussing how to secure your building automation system. We are going to be looking at a couple different things in this episode. So in the previous episode, we went through kind of fundamentals, cybersecurity, talked about a couple things related to cybersecurity risks, risk assessments, controls, etc. So now we're going to look at cybersecurity capabilities of a BAS, we are going to look and discuss the limitations of cybersecurity controls, and we're going to look at the human aspects of cybersecurity. As always, everything we discuss here can be found at podcast.smartbuildingsacademy.com/320. Once again, that's podcast.smartbuildingsacademy.com/320. Alright, so as I mentioned in Monday's podcast episode, what happens in the world of building automation cybersecurity is that we start off, right, with a potential risk. And that risk is going to vary based on the type of building. So, you know, if you have a DoD facility, Department of Defense facility, that's going to have a different risk profile than, you know, Jimmy Bob's three story office building, and because of that, we have to apply different levels of cybersecurity controls. And I told you that there are three primary types of controls: physical, administrative, and logical controls. Now, what we're going to look at today, and we're going to discuss today, are controls. We're also going to look at some specific things around building automation cybersecurity standards. So we're going to look at the building automation cybersecurity standards in regards to what the Department of Defense is promoting. So we're going to take a look at that. And then from there, we're going to go through just some basic things you can do.
As far as securing your building automation system and understanding what in your building automation system can be secured. Alright, so I'm going to pop up my screen here. For those of you who are listening to the podcast, I will do my best to visually describe this; you can always go to podcast.smartbuildingsacademy.com/320, and you can view the video. Alright, so if you're looking at my screen here, you're seeing that I have NIST 800-53 Revision 4. So this is Security and Privacy Controls. And what we want to focus in on here, like I mentioned, there's three types of controls. And this is a huge document. By the way, if you've never looked at this, it can be very intimidating. But if you're familiar with risk classification in the DoD sphere, so if you've ever done any building automation work for the Department of Defense, you know that they classify their buildings as low, medium, high. And if you dive into actually the UFC, the Unified Facilities Criteria, which is kind of replacing DITSCAP, DIACAP, DIARMF, it's still got RMF built into it, and RMF is Risk Management Framework. But if you dive into that, they take it even a step further, where they dive into the CIA, which is confidentiality, integrity and availability. So I'm gonna talk about that real quickly, the CIA triad. So the CIA triad is this: confidentiality, integrity and availability. The majority of what we do from a cybersecurity controls perspective is to basically shore up those three areas. Confidentiality is making sure that whatever is being communicated cannot be disclosed. In most cases,

confidentiality is not a major concern of building automation systems. There have been facilities that I've worked on where you ended up having to actually separate the building automation networks from the entire building. And the reason why, and I'm gonna actually throttle my sound down here just a little bit because I think it's peaking a little loud. Alright, but as I was saying, one of the things was that it was an electronics manufacturer and they were worried about people actually eavesdropping through sound vibrations coming across the field trunks of the field controllers. So obviously that is a physical control concerned with the confidentiality of what's going on in the building. Then you have integrity. This is a big one for building automation systems, as well as availability. Integrity is ensuring that if I send a chiller command of 55 degrees, it actually receives a 55 degree command. That's actually how the Stuxnet attack happened. Basically, they made the centrifuges look like they were spinning slower than they actually were, through some false values. The centrifuges kept spinning, spinning, spinning, spinning faster, faster, faster, until they basically destroyed themselves. Then you have availability, which is also a primary concern of building automation. Availability is the ability, right, to have access to our resources, in our case our building automation resources, like our servers and supervisory devices. We'll talk about attack vectors for each of these a little bit later in this episode.
But I want you to understand that when you're working with cybersecurity folks, and when you are addressing cybersecurity issues in the building automation space, like I said in Monday's podcast, most of you, if you just have password policies, unique username requirements for each individual user, you have certificates and you patch your systems, and you enable HTTPS with the appropriate TLS version, then you're going to be pretty solid, you're going to be good. But if you go and work with anybody, you know, like a large pharmaceutical, a large healthcare organization or government organization, then you're going to branch into the need for potentially more intense cybersecurity controls. Now NIST 800-53, in my opinion, while it's useful at understanding what controls are available, it's not very useful in how do we apply the controls and how do we interpret them, which is why I like this UFC document. I'm actually going to post this in the chat here. And this UFC document, I'll link this at podcast.smartbuildingsacademy.com/320. Why I like this: if we get about a third to two thirds of the way down, what you're gonna see, and I may not have got there yet. Let me see, I may actually have overshot it. Yeah, I overshot it. Alright, so about, yeah, about two thirds of the way down, you'll start to see these controls. They directly parallel with the NIST 800 controls, and controls being cybersecurity, logical, technological, physical, or administrative, so process, policy, procedure that you can put in place to ensure that your system is secure. So you'll notice they're classified. And you'll notice that they are classified by low, medium, high. And you see, like right here, L-L-L. And that directly corresponds with the CIA triad, confidentiality, integrity, availability: low confidentiality. So

if you had something that was like L-M-L, it would mean confidentiality requirements are low, integrity requirements are medium, and availability requirements are low. So as we start to dig into these categories, there are several different families as far as cybersecurity controls are concerned. If we look at access control, what I like about this UFC standard is that it gives examples that are pertinent to building automation. So even if you don't implement DoD level cybersecurity, even if you're not being held accountable to the UFC standard, if you're ever working with a client who is concerned about cybersecurity, they are most likely going to be implementing something along the lines of NIST 800-53 Rev 4, and if you do 800-53 Rev 4, then you start to dig into the controls. While they're not one for one, there are some similar controls. Where you may find yourself challenged is, how does a specific control correspond to building automation? And that's where this UFC standard really shines, is that it goes in here and it talks about, you know, for example, let me find a good one for you. Ah, and by the way, when you read through this, and you see level four, level two, etc., etc., that's specific to UFC, by the way. But if we go in here, and we see, where's what I want, I want this one, permitted actions without identification or authentication. And so basically, what it's calling out here is that, like, some user access, local display panels, HOA switches may not support authentication, and necessary physical security should be considered. So what are they saying here? Well, this is saying two things. Number one thing it's saying is when you go to the BAS, to the server, to the web user interface, you should not be able to have access to things that are outside of your role. And whatever is outside of your role should require authentication, meaning login and users.
This is why I said earlier, if you have unique usernames, you have strong passwords, and I'll add a third thing, you have unique roles, and the roles have specific access to only the things they need to access, you're going to make your system more secure. And that's basically what this is saying. So you maybe have a user role, you have an engineer role, and then you have a power user/administrator role. And these different roles will have different access to different capabilities. Alright, I'm just gonna check, make sure my sound's coming in good. Okay, sound's coming in good. Alright. Additionally, what it also points out, and I think this is strong, and it's something I hammer all the time when I'm talking to people about cybersecurity, is you can have the best logical and administrative security, but if you don't have proper physical security, none of it matters. And they do hammer that, and they say, hey, local display panels, HOA switches, etc. You need to go and put the appropriate physical security into place. So if you are sitting there, and you're working with a customer, and they're like, I want to secure my building automation system, how do I do this? UFC is a really nice place to start. And it's something we're actually going to be potentially creating a course for down the road. But if I go here, and we look, I'm gonna go and look, where's the RMF? There it is. We look at RMF. RMF is the Risk Management Framework. And RMF is a six step process. First we categorize the system. Now I'm not going to dive into how we categorize the system. But we categorize the system. And based on the system categorization, we have, you know, low, medium, high, and a system.

I don't necessarily agree with this. But a system, at least according to the UFC model, is a five level model. Level zero being your sensors and actuators, level one being your field controllers, level two being field controllers that are IP, level three being, they call it field point of connection. We're talking supervisory devices and routers. They can also argue that this is their actual IT level connection as well. Level four being front end and IP network, and then level five being any external connections. So you can start to see kind of the goofy little overlap in here. Things that can be a little confusing, but depending on how this is interpreted, level two can be your supervisory devices, or level three can be your supervisory device. But it's typically interpreted level zero is actuators, level one is field controllers and trunks, level two is supervisory devices, level three is switches and routers, level four is servers, and then level five is going to be kind of your external connections, right? Why does any of that matter? Well, because if we go back to our risk management framework, let me get back up to that real quick. Where did it go? My little buddy. I literally just had it a second ago. I wish there was an easier way to get back to things. Then we go, based on categorization of our levels, we select our security controls. This is where I was telling you, we're going to go and we're going to say, okay, these security controls apply to these levels, then we implement them. So selecting the security controls, this is the engineering phase, right? This is where architects and engineers are going to review and the controls contractors are going to select. So then they get implemented, right, implemented, and then they get assessed to ensure that they're working, and then the system gets authorized. And then the key part being that it's monitored.
So if we think about this, from a parallel, which would be like an engineering approach to building out a building, step one would be kind of our use case mapping with an architect, so that we can go in and kind of set aside funds to build a building, and we can figure out kind of what we want, where we're scoping the needs. Number two is selection and design. Three would be like, okay, we've got our construction documents, we're implementing. Four would be like commissioning, right, we're assessing. Five would be, or sorry, four would be like point to point and functional test, five would be like commissioning. And then six would be, you know, ongoing monitoring and support, warranty phase, post. That's kind of how this parallels to an engineering design. Okay. So if we dive a little deeper, we've got a ton of different access, or control families, as they like to call them. And as I mentioned, once you've defined your security levels, or your security classifications for your levels, then you start to select your appropriate controls, right. And we can see that they have a lot of different controls that are listed on here. And if we go back up, we can see the individual controls. And as I mentioned, we can see how these are implemented, how they're measured in the different parts of this process. Alright, let me switch off of this and switch back here. So so far, right, we've gone through talking about in greater detail how we go and do classification of our systems. We talked about how do we go, once we've classified our systems, and select controls. I've talked about the human aspects of cybersecurity. Now we're going to talk about the cybersecurity capabilities of our BAS, because at the end of the day, what you're going to learn as you do these controls is the majority of these controls can be implemented in a, or sorry, the majority of these controls cannot be implemented via a building automation system. They actually require some sort of outside technology, or they require some sort of outside process.

For example, as we look at access control, right, so we see that we have access control. And we see access control for transmission medium, which is PE-3 or PE-4, so on my screen now. And what we're saying is that, okay, we need to go and coordinate with the electrical designer for conduit requirements so that people can't physically access the transmission medium, meaning the RS-485 trunk. Now, here's the deal. That is a physical control. That is not something that you're necessarily going to set in the building automation system. There's no setting to make RS-485 secure, there's just not. So what do we do? Well, it says that we can see SC-8, which will give us a little bit more clarity on this. But physical security is going to be our answer. We're going to have to physically secure our building automation system trunks. Now that's going to require coordination with the electrical contractor, that's going to require additional cost potentially. So we can see in SC-8 that alternate physical safeguards such as a protected distribution system can be employed. So we'd have to understand what that means. There's a variety of interpretations to that as well. But you can start to see how these things are interconnected. Things like vulnerability scanning, something you've probably never done. But you need to be conscious that in some cases, it may be required. Alright, let's go up. And I want to look at more of the access controls, because the access controls tend to be,

excuse me, the stuff that we can implement. A lot of the integrity, a lot of the authentication is coming along, and we're gaining greater capabilities to be able to do that. But for most of us, our access control and our auditing are going to be things we're able to implement in the control system. But here, right, we can see our access control, we can see permitted actions, I talked about that a little bit earlier, unsuccessful login attempts, system use notification, session locks. These are all things that can be implemented as part of your building automation system design. You know, you can go and do session timeouts, you can do session locks, you could do system use notifications, you can do unsuccessful login attempts, you could do least privilege, as long as you set up the appropriate roles. There's all sorts of things that you can do in your control system to make these. Alright, so at the end of the day, how do we know if we can do these things? There's no one simple answer. It's a matter of going and understanding the control you're trying to implement, and then going back to your manufacturer, either through their documentation, or, what I recommend, through your distributor. Or if you directly work for an original equipment manufacturer, OEM, then go directly to, like, your regional field support manager, or your support manager, whoever that is. And then you ask them about the capabilities. You know, do we support authentication between devices? Now, if you've got BACnet/SC, there's authentication. Some systems have authentication just by default. Do we have the capability to do least privilege? Do we have the ability to do session lock? Most modern systems do. So this is where you would go to your OEM, and you would dig in to understand how exactly you approach this, and what exactly you do. Alright, I know this has been more in the weeds, more technical. And the reality is, for a lot of you, you're not going to work on DoD work.
And I know it seems like I'm sitting here saying, hey, this is important, but it's not important. But it is important. While maybe you're not going to be doing DoD work and having to run through the UFC, or running through the NIST 800 Special Publications, and going and doing that whole NIST 800-30 risk assessment process and then implementing, you know, Special Publication 800-53 Rev 4 and implementing controls. While you may not be doing that, you most likely do have customers who could benefit from having a more secure system. And being aware of these frameworks, and how to take the information in these frameworks and apply them even in a partial application, is going to make your customers more secure. And it's a value add service that you could potentially sell to your customers or use to differentiate you from your competition. So hey, thanks a ton for listening to this. I hope this gave you a little bit more clarity. Like I said before, please ask whatever questions you have in the chat. Let me know what questions you've got. I'd love to go and answer them for you. I know that these episodes are a little more on the technical side, but it's important. Everyone out there is talking about energy, talking about green this, green that, blah, blah, blah, blah, blah. And the thing is that at the end of the day, energy can change with a simple change of whoever's in office at the time. Cybersecurity is going to remain and become ever more important as we further distance ourselves from serial networks, moving towards IP networks, moving towards more compute at the edge. Cybersecurity is going to become increasingly important, especially as hackers start to realize that they can use our systems as launchpads to make attacks into business networks and into facilities. Right now we're still very much a shielded technology set as far as being used as an attack vector, but that will continue to change as we add more and more IP enabled devices.
So thanks a ton for listening. Once again, everything's available at podcast.smartbuildingsacademy.com/320. If you have any questions, hit us up there. And I will see you all Friday. Take care.

Written by Phil Zito
